Lock it Up! 6 Practical Tips for Cyber Security at Smaller FIs

There is a reckoning coming for smaller financial institutions when it comes to cyber security. Until this year, online thieves have mostly focused on larger institutions in the country because of the amount of personal and financial information they hold. However, that trend is changing.

In an article titled “Large Banks Team Up in War Against Cyberthieves” in the Aug. 10, 2016 edition of the Wall Street Journal, Sr. Special Writer Robin Sidel notes that “eight of the largest U.S. banks are forming a group that seeks to tackle the growing cyberthreat.”

While this signals more urgency about a security environment that most banks have been slow to adapt to, it leaves one nagging question: what about smaller financial institutions? Most of these banks don’t have the dollars or manpower to put toward security the way the large national banks do. And, according to a July report from Beazley, smaller financial institutions are now squarely in cyberthieves’ crosshairs.

Percentage of hacking/malware attacks involving FIs, all of 2015: 27 percent

Percentage of hacking/malware attacks involving FIs, first half of 2016: 43 percent

Banks and credit unions with less than $35 million in annual revenues accounted for 81 percent of hacking and malware breaches at financial institutions in 2016, a major increase over the 54 percent of incidents in this industry in 2015.

So, what exactly should management at these smaller institutions be considering to minimize their risk? Here are some tips from John Unsen, Director of Operations at VGM Forbin.

#1- Beware of Open Source Website Solutions

The phrase “open source” refers to CMS solutions whose code is widely available and easily manipulated. Popular open source CMS platforms include WordPress, Joomla and Drupal, to name a few. On the other hand, closed source or proprietary systems are far more secure. For example, Forbin’s BankWeb™ CMS was developed in-house and has been reviewed for security flaws by a trusted third party.

#2- Make Sure You are Using a Compliant Website Host

There are a couple of key things to look for in the hosting facility or data center where your website is hosted. It should be SSAE 16 compliant (Type 1 or Type 2) and should undergo SOC 1 or SOC 2 audits yearly to prove it remains in compliance. There are also internal IT protocols that must be followed for compliance, which hosting facilities can provide and help explain to your internal IT staff.

#3- Vulnerability Scanning & System Monitoring

Safe today doesn’t necessarily mean safe tomorrow. We recommend quarterly vulnerability scans at the very least, combined with audits from a trusted third party security provider. We also love Pingdom, a tool which allows you to monitor the “uptime” of your website. This shows whether your site is responding, how much activity it is seeing, and whether you’re experiencing a “denial of service” attack, the most common type of cyber-attack.

#4- Require Standards and Vulnerability Testing for Your SSL

Your SSL, or Secure Sockets Layer, is what allows any information submitted on your website to be encrypted and sent securely. Set SSL standards and require your hosting provider to bring you up to that level. You should also watch for news on global SSL threats (e.g., Heartbleed) and enforce end-user compliance with modern browsers. Sorry, Internet Explorer 6 users, it’s time to update.
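As an added example that is not part of the original post, here is a small Python check of the kind an institution could run against its own site to confirm the host actually meets a written SSL/TLS standard. The thresholds it enforces (TLS 1.2 or newer, at least 128-bit ciphers, at least 30 days of certificate validity) are this example's assumptions, not a Forbin requirement.

```python
import socket
import ssl
import time

# Minimum standard assumed for this example (adjust to your own written policy).
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")
MIN_CIPHER_BITS = 128
MIN_CERT_DAYS_LEFT = 30


def evaluate_tls(observed, now=None):
    """Compare one observed handshake against the standard; return findings (empty = compliant).

    observed keys: version (as SSLSocket.version()), cipher and bits (as SSLSocket.cipher()),
    not_after (the certificate's notAfter string as SSLSocket.getpeercert() returns it).
    now is a Unix timestamp; it defaults to the current time.
    """
    now = time.time() if now is None else now
    findings = []
    if observed["version"] not in ACCEPTED_VERSIONS:
        findings.append(f"protocol {observed['version']} is below the TLS 1.2 minimum")
    if observed["bits"] < MIN_CIPHER_BITS:
        findings.append(f"cipher {observed['cipher']} uses only {observed['bits']}-bit keys")
    expires = ssl.cert_time_to_seconds(observed["not_after"])
    days_left = int((expires - now) // 86400)
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < MIN_CERT_DAYS_LEFT:
        findings.append(f"certificate expires in {days_left} days (minimum {MIN_CERT_DAYS_LEFT})")
    return findings


def observe_host(hostname, port=443, timeout=5.0):
    """Handshake with a live host and collect the parameters evaluate_tls needs."""
    ctx = ssl.create_default_context()          # verifies the chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older outright
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            name, _proto, bits = tls.cipher()
            return {"version": tls.version(), "cipher": name, "bits": bits,
                    "not_after": tls.getpeercert()["notAfter"]}


def check_host(hostname):
    """Return the findings for hostname; a failed handshake is itself a finding."""
    try:
        return evaluate_tls(observe_host(hostname))
    except ssl.SSLError as exc:
        return [f"handshake failed (no TLS 1.2+ or invalid certificate): {exc}"]
```

Run it with `check_host("www.example-bank.invalid")` (a placeholder name) against your own site, and schedule it alongside the quarterly scans so that a provider's configuration change or an expiring certificate is noticed before customers notice it.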

#5- Employee Education

This includes everything from physical safeguards to email security, saving work securely and how to handle requests from outside sources. While your employees may love working for your institution, they are also the biggest security threat because of careless mistakes. Most importantly, once you have an education solution in place, don’t forget to enforce it!

#6- Find a Partner that Follows Developmental Best Practices

We’re talking due diligence, things such as:

A cyber liability policy

A continuity plan

A list of all third party vendors

Revision history of your website

Image use policy

Additionally, you should vet agencies based on if they have (or don’t have) the following:

A cyber liability policy

A continuity plan

Audited financials

A platform that auto-records your website revision history

Author-publisher roles for the website (dual control to maintain compliance)

Access to top-end security using both automated systems and human testing

This may be a lot of information to take in, especially if your internal IT department consists of only one or two individuals. That’s why partnering with a company like VGM Forbin, which keeps security at the forefront of the services it provides, is key.

Just remember to act now and be thorough, because the consequences of inaction or choosing the wrong provider can be costly both financially and in terms of your reputation.